Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2069

Description

OpenSSH 3.6.1p2 and 3.7.1p2 with privilege separation fail to close connections after LoginGraceTime, allowing remote attackers to exhaust connection slots.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In sshd.c of OpenSSH versions 3.6.1p2 and 3.7.1p2 (and possibly other versions), when privilege separation is enabled, the privileged monitor process does not properly signal the non-privileged child process after a session exceeds the LoginGraceTime timeout. The alarm/SIGALRM mechanism that enforces the timeout terminates the privileged side but leaves the unprivileged child unaware, so the TCP connection remains in an ESTABLISHED state [3].

Exploitation

An unauthenticated remote attacker can initiate an SSH connection and simply withhold authentication until the LoginGraceTime interval expires. The server logs a timeout but the connection is not fully torn down; netstat shows the socket still established. By repeating this process, the attacker can consume all available connection slots up to the MaxStartups limit, preventing new legitimate connections [3].
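The symptom described above (a logged timeout while the socket stays established) can be checked from the defender's side. The following is an added example, not code from this advisory or from OpenSSH: it correlates sshd timeout log lines with a `netstat -tn` snapshot and estimates how many slots are being held. The log wording, the netstat column layout, the function names and the `max_startups` value are assumptions, and the sample data is constructed.

```python
import re
from collections import Counter

# Constructed sample data (not from a real host). The log wording is an
# assumption modelled on sshd's "Timeout before authentication" message.
SAMPLE_LOG = """\
Jan 10 10:00:05 host sshd[2101]: fatal: Timeout before authentication for 192.0.2.10
Jan 10 10:00:07 host sshd[2102]: fatal: Timeout before authentication for 192.0.2.10
Jan 10 10:00:09 host sshd[2103]: fatal: Timeout before authentication for 192.0.2.10
Jan 10 10:01:30 host sshd[2110]: fatal: Timeout before authentication for 198.51.100.7
Jan 10 10:02:00 host sshd[2115]: Accepted password for alice from 203.0.113.5 port 40022 ssh2
"""
# Constructed `netstat -tn` snapshot, taken after the log lines above.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.1:22             192.0.2.10:51000        ESTABLISHED
tcp        0      0 10.0.0.1:22             192.0.2.10:51001        ESTABLISHED
tcp        0      0 10.0.0.1:22             192.0.2.10:51002        ESTABLISHED
tcp        0      0 10.0.0.1:22             203.0.113.5:40022       ESTABLISHED
tcp        0      0 10.0.0.1:22             198.51.100.7:33000      TIME_WAIT
tcp        0      0 10.0.0.1:80             192.0.2.10:51003        ESTABLISHED
"""
TIMEOUT_RE = re.compile(
    r"sshd\[\d+\]: (?:fatal: )?Timeout before authentication for (\S+)")

def timed_out_peers(log_text):
    """Count LoginGraceTime timeouts that sshd logged per peer address."""
    return Counter(m.group(1) for m in TIMEOUT_RE.finditer(log_text))

def established_ssh_peers(netstat_text, port=22):
    """Count ESTABLISHED sockets per peer on the local SSH port."""
    peers = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if (len(f) >= 6 and f[0].startswith("tcp") and f[5] == "ESTABLISHED"
                and f[3].rsplit(":", 1)[-1] == str(port)):
            peers[f[4].rsplit(":", 1)[0]] += 1
    return peers

def lingering_after_timeout(log_text, netstat_text, max_startups):
    """Heuristic: peers with a logged timeout that still hold SSH sockets."""
    timeouts = timed_out_peers(log_text)
    established = established_ssh_peers(netstat_text)
    suspects = {ip: min(timeouts[ip], established[ip])
                for ip in timeouts if established[ip] > 0}
    held = sum(suspects.values())
    return {"suspects": suspects, "held_slots": held,
            "slots_left": max(max_startups - held, 0)}

if __name__ == "__main__":
    print(lingering_after_timeout(SAMPLE_LOG, SAMPLE_NETSTAT, max_startups=10))
```

Because the old log format carries no source port, the match is per address, so a peer that also has a legitimate session open will be over-counted.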

Impact

Successful exploitation results in a denial of service (DoS): the SSH daemon becomes unable to accept new connections, blocking all remote administration and file transfers. No authentication or special privileges are required, and the attack can be launched from any network position that can reach the SSH port [3].

Mitigation

Red Hat released updated openssh packages in RHSA-2005-550 [4] that backport a fix for this issue. Upgrading to a patched version (e.g., OpenSSH 3.8 or later) resolves the vulnerability. As a workaround, administrators can disable privilege separation (UsePrivilegeSeparation no) in sshd_config, though this reduces security. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OpenBSD/OpenSSH (2 versions)
    • cpe:2.3:a:openbsd:openssh:3.6.1p2:*:*:*:*:*:*:*
    • cpe:2.3:a:openbsd:openssh:3.7.1p2:*:*:*:*:*:*:*
  • Range: =3.6.1p2, =3.7.1p2
